Code Red Lessons, Big and Small

IT managers and users alike who were affected by the Code Red worm have gone through the latest round of requisite security "lessons learned."

IT managers and users alike who were affected by the Code Red worm have gone through the latest round of requisite security "lessons learned." Those include: Stay on top of security news, install your patches, monitor server activity and err on the side of caution. And its working. The scheduled recurrence of the worm this month was substantially less damaging than its appearance last month—the direct result of security administrators scurrying to put in the patches. Reports said the Microsoft patch was downloaded more than a million times by Aug. 1. However, those that havent patched are now suffering from the far more dangerous Code Red II worm sweeping the Internet as this editorial goes to press.

But there are larger and more important lessons to be learned for corporate executives above the level of security admins. C-level officers have to be made aware that, while IT busily patched its servers, their companies are spending time and money not to improve the infrastructure but to fight a mere holding action against hackers to stave off the inevitable next worm or virus.

Meanwhile, the long-awaited economic recovery keeps getting pushed further into the future. Company executives have to learn that when basic system administration costs this much to merely stay in place, then they cant be too hopeful about the future, or about, as President Bush might say, making the pie higher.

Episodes such as Code Red delay any reasonable recovery of IT spending—and by extension the IT industry and economy at large—because security crises deflate any action that companies can take on more complex and potentially worthwhile IT projects. If it takes this much effort just to stay ahead of the curve, the risks of being innovative may be too great.

And its not just about security but all the elements of an IT infrastructure: Uptime, reliability, ease of use and general stability need improvement. IT managers and software vendors alike will have to start getting the foundation right before they can hope that nontechnical executives will give serious credence to funding more innovative IT programs.

To recover economically, businesses have to recover confidence in their IT infrastructures. That confidence isnt going to grow until there is evidence that an enterprise can withstand the latest attacks and schemes. This is where the little lessons and successes mentioned above come into play. IT administrators wont avoid all virus or worm attacks but will lessen their impact.

Once those are learned cold in the back office, we hope that IT managers can start giving the front office a renewed ability to rely on IT rather than fear it.